3.1.1.6.1.4 Configurable State

Let C be the object in the config NC identified by the DN of "CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>". C!dSHeuristics (section 6.1.1.2.4.1.2) is a Unicode string attribute, in which the 16th character, dwAdminSDExMask, can optionally be set to cause the protection operation to exclude one or more protected objects.

The valid values of dwAdminSDExMask are the characters "0"–"9" and "a"–"f". The value is interpreted as a hex digit, of which each bit represents a specific set of security principals that is to be excluded from the AdminSDHolder protection operation.

The security principal objects that are excluded are those that are members, directly or transitively, of any group in the set defined by the bits set in the list below:

  • If C!dSHeuristics[15] & 0x1 ≠ 0 then DOMAIN_ALIAS_RID_ACCOUNT_OPS

  • If C!dSHeuristics[15] & 0x2 ≠ 0 then DOMAIN_ALIAS_RID_SYSTEM_OPS

  • If C!dSHeuristics[15] & 0x4 ≠ 0 then DOMAIN_ALIAS_RID_PRINT_OPS

  • If C!dSHeuristics[15] & 0x8 ≠ 0 then DOMAIN_ALIAS_RID_BACKUP_OPS
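
The following Python decoder is an added example, not part of the specification text. It reads the 16th character of a dSHeuristics value and lists the groups excluded from AdminSDHolder protection, as an auditor reviewing a forest would. The function names, the constructed sample strings, the treatment of an absent or short value as "no exclusions", and the error raised for an out-of-range character are assumptions of this example; the SIDs are the well-known BUILTIN SIDs of the four groups.

```python
# Added example: decode dwAdminSDExMask (the 16th character of dSHeuristics).
MASK_INDEX = 15                        # C!dSHeuristics[15]
VALID_MASK_CHARS = "0123456789abcdef"  # the valid characters listed in the section

# bit -> (constant named in the section, well-known SID, display name)
EXCLUSION_BITS = {
    0x1: ("DOMAIN_ALIAS_RID_ACCOUNT_OPS", "S-1-5-32-548", "Account Operators"),
    0x2: ("DOMAIN_ALIAS_RID_SYSTEM_OPS", "S-1-5-32-549", "Server Operators"),
    0x4: ("DOMAIN_ALIAS_RID_PRINT_OPS", "S-1-5-32-550", "Print Operators"),
    0x8: ("DOMAIN_ALIAS_RID_BACKUP_OPS", "S-1-5-32-551", "Backup Operators"),
}


def excluded_groups(ds_heuristics):
    """Return the group constants whose bits are set in dwAdminSDExMask."""
    # Assumption of this example: an absent attribute, or a value shorter
    # than 16 characters, carries no mask and therefore excludes nothing.
    if ds_heuristics is None or len(ds_heuristics) <= MASK_INDEX:
        return []
    ch = ds_heuristics[MASK_INDEX]
    if ch not in VALID_MASK_CHARS:
        # Assumption: report an out-of-range character instead of guessing.
        raise ValueError(f"dSHeuristics[15] is {ch!r}, not one of 0-9 or a-f")
    mask = int(ch, 16)
    return [name for bit, (name, _sid, _label) in EXCLUSION_BITS.items() if mask & bit]


def audit(ds_heuristics):
    """Return one finding line per group excluded from AdminSDHolder protection."""
    by_name = {name: (sid, label) for name, sid, label in EXCLUSION_BITS.values()}
    return [
        f"{name} ({by_name[name][1]}, {by_name[name][0]}) is excluded"
        for name in excluded_groups(ds_heuristics)
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in (None, "0000000001", "0000000001000000",
                   "0000000001000005", "000000000100000f"):
        print(repr(sample), audit(sample) or "no exclusions")
```

Any non-empty result means members of the listed groups are outside the AdminSDHolder protection operation, which is worth recording as a finding and confirming as intentional.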